Alex “neat” A.

201 posts

@NeatMonster_

well now I am not doing it · co-founder @the_impalabs

Toulouse, France. Joined December 2011
228 Following, 660 Followers

Alex “neat” A. @NeatMonster_
@viperbjk @HexRaysSA I'm guessing address 0x1001A100 isn't marked as volatile (see docs.hex-rays.com/user-guide/dec…), so the first memory store is being optimized away.

Bjoern Kerler @viperbjk
Maybe I missed something obvious, but 0xAD98 is clearly written as R2 to R1, which points to 0x1001A100. However, the @HexRaysSA Decompiler seems to completely miss these instructions and I don't even see a switch happening there... Anyone have any idea which magic option I missed?

Alex “neat” A. retweeted
Impalabs @the_impalabs
After a bit of delay, we're finally releasing advisories for 139 vulnerabilities we found in 23 trustlets used on Huawei mobile devices. Some of them can be exploited to access the Secure World and retrieve sensitive data. 🧵 A thread of our most interesting findings

Alex “neat” A. retweeted
Guanxing @hhj4ck
Slides and demos of core escalation: github.com/hhj4ck/CoreEsc… Welcome to join me during the meet + greet this afternoon (Booth 3241 - Meetup Lounge, Business Hall)

Alex “neat” A. retweeted
Man Yue Mo @mmolgtm
In this post I'll look at a patching issue that leaves the Pixel 6 vulnerable to an already fixed bug for more than 5 months. This allows arbitrary kernel code execution and root from an untrusted app and shows some potential problems with backporting: github.blog/2023-04-06-pwn…

Alex “neat” A. retweeted
DAY[0] @dayzerosec
Live with this week's bounty episode in about 10 minutes. Today we have a Parallels Desktop toolgate bug, bypassing CloudTrail, and some GPT discussion. twitch.tv/dayzerosec

Alex “neat” A. retweeted
Impalabs @the_impalabs
Our latest advisory is about a logic bug in Parallels Desktop that can be used to escape from VMs. It stems from a directory traversal and an incorrect use of Qt's strings resulting in unexpected behavior. 📝 blog.impalabs.com/2303_advisory_… 🗃️ github.com/Impalabs/CVE-2…

Alex “neat” A. retweeted
Taszk Security Labs @TaszkSecLabs
FaultyUSB: exploiting a TOCTOU race condition bug in recovery to get root on Huawei devices by emulating a malicious USB flash drive labs.taszk.io/articles/post/…

Alex “neat” A. retweeted
Man Yue Mo @mmolgtm
In this post I'll use CVE-2022-38181, a use-after-free I reported last year in the Arm Mali GPU driver, to gain arbitrary kernel code execution and root from an untrusted Android app. Not sure if the bug or the disclosure is more interesting: github.blog/2023-01-23-pwn…

Alex “neat” A. retweeted
DAY[0] @dayzerosec
Binary episode is live in about 10 minutes. Today we have a browser bug, a post by Project Zero on a Linux kernel exploit, and some Huawei secure monitor bugs. twitch.tv/dayzerosec

Alex “neat” A. retweeted
Impalabs @the_impalabs
Our newest advisory is about the Secure Monitor, a component of Huawei's TrustZone. It details 3 vulnerabilities (CVE-2021-39994, CVE-2021-22437, CVE-2021-39993) that we exploited to execute code at EL3, the highest privilege level of Android devices. blog.impalabs.com/2212_advisory_…

Alex “neat” A. retweeted
DAY[0] @dayzerosec
Going live for the binary episode of the podcast. Today we have a Huawei Hypervisor vuln, a FreeBSD stack overflow in ping, and some discussion on ChatGPT. twitch.tv/dayzerosec

Alex “neat” A. retweeted
Impalabs @the_impalabs
Today we are releasing Hyperpom, a fuzzing framework for ARM64 binaries based on the Apple Silicon hypervisor. Check out our latest blogpost, as well as our GitHub repo, to learn more about the project and its internals. 📙 blog.impalabs.com/2211_hyperpom.… 🗃️ github.com/impalabs/hyper…

Alex “neat” A. retweeted
Impalabs @the_impalabs
If you've missed our talk at @hexacon_fr, the recording of “Hara-Kirin: Dissecting Huawei Mobile Devices” is now available! Come with us for a guided tour of Huawei's Hypervisor and TrustZone, and learn about the cool bugs we discovered along the way. youtu.be/LxoHSrrGaNA

Alex “neat” A. retweeted
Impalabs @the_impalabs
Here are the slides of our @hexacon_fr talk about breaking the privileged components of Huawei's mobile devices. Thanks to everyone who attended, we hope you liked it, and stay tuned for the upcoming blog posts! github.com/Impalabs/confe…

Alex “neat” A. retweeted
Hexacon @hexacon_fr
Lunch is over and now it’s time for Maxime Peterlin and Alexandre Adamski from @the_impalabs to talk about « Hara-Kirin: Dissecting the Privileged Components of Huawei Mobile Devices » #HEXACON2022

Alex “neat” A. retweeted
Man Yue Mo @mmolgtm
This might be the best bug I found. Never thought I'd be writing a kernel exploit as reliable, clean and fast as a browser exploit. For a while I actually used this to root my research phone when I can't be bothered to patch the ROM: github.blog/2022-07-27-cor…